![Page 1: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/1.jpg)
microm
odels of software
declarative modelling
and analysis with A
lloy
lecture 1: introduction
Daniel JacksonM
IT Lab for Computer Science
Marktoberdorf, August 2002
![Page 2: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/2.jpg)
2
lightweight m
odels
a foundation for robust, useable programs
elements
›small & sim
ple notations›partial m
odels & analyses›full autom
ation
focus on risky aspects›hard to get right, or to check›structure-determ
ining›high cost of failure
![Page 3: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/3.jpg)
3
cost
assurance
hackingsketchingw
rite-only models
type-checked models
analyzed models
proven models
what assurance costs
![Page 4: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/4.jpg)
4
my w
ork in marktoberdorf context
computation, not interaction
›complem
entary to Harel & Pnueli›relational, not algebraic (cf. Tarlecki and M
eseguer)›underlying idiom
s due to Hoare, Woodcock et al
designed for experts, but not super-experts›like Harel, not Rushby & M
oore›sim
ulation, not just checking
role of mathem
atics›only way to m
ake things simple
›semantics in term
s of sets, and SAT
started this in 1994, and have had some successes
but much less m
ature than ACL2, PVS, Statemate, etc
![Page 5: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/5.jpg)
5
features of Alloy
structural›express com
plex structure, static and dynamic
›with just a few powerful operators
declarative›a full logic, with conjunction and negation›describe system
as collection of constraints
analyzable›sim
ulation & checking›fully autom
atic
![Page 6: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/6.jpg)
6
structural
structure is everywhere›highway system
s, postal routes, company organizations,
library catalogues, address books, phone networks, …
structure is becoming m
ore pervasive›self-assem
bling software (eg, Observer pattern)
›mem
ory gets cheaper: address books in every phone
tool researchers have neglected structure›one traffic light is a state m
achine, but a city’s lights are a net
There is no problem in com
puter science that cannot be solvedby introducing another level of indirection, but that usuallyreveals new problem
s --David Wheeler
![Page 7: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/7.jpg)
7
declarative
declarative description›m
odel is collection of properties›the m
ore you say, the less happens
advantages›increm
entality: to say more, add a property
›partiality: doesn’t require special constructs›sim
plicity: no separate language of propertiesSys m
eets Prop: Sys => Prop
why less is more
›less constrained system m
eans implem
entation freedom›less constrained environm
ent means greater safety
![Page 8: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/8.jpg)
8
analyzable
‘write-only’ models
›useful if precise enough›but m
issed opportunity (and wishful thinking)
tool-assisted modelling
›simulate and check increm
entally›catch errors early, develop confidence›optim
ize for failing case: most of m
y examples will be wrong
Alloy’s analysis›fully autom
atic, with no user intervention›concrete: generates sam
ples & counterexamples
›like testing, sound but not complete
›unlike testing, billions cases/second
![Page 9: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/9.jpg)
9
declarative & executable?
traditionally›declarative XO
R executable›good argum
ents for both
but can have cake and eat it›with right analysis technology
Alloy’s analysis can ‘execute’ a model
›forwards or backwards›without test cases›no ad hoc restrictions on logic
Small Tow
er of 6 Gears, Arthur Ganson
![Page 10: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/10.jpg)
10
a numbering problem
given›docum
ent whose paragraphs are tagged with styles›style sheet that gives num
bering rules for styles
produce›docum
ent with numbered paragraphs
(like my M
arktoberdorf notes)
\part Introduction\section M
otivation\subsection W
hy?\section Overview\part Conclusions\section Unrelated W
ork
\part Introduction\section M
otivation\subsection W
hy?\section Overview\part Conclusions\section Unrelated W
ork
Part A: IntroductionA.1 M
otivationA.1.1 W
hy?A.2 OverviewPart B: ConclusionsB.1 Unrelated W
ork
Part A: IntroductionA.1 M
otivationA.1.1 W
hy?A.2 OverviewPart B: ConclusionsB.1 Unrelated W
ork
![Page 11: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/11.jpg)
11
a candidate solution
style sheet assigns to each style›an initial value for num
bering›optionally, a parent
\part Introduction\section M
otivation\subsection W
hy?\section Overview\part Conclusions\section Unrelated W
ork
\part Introduction\section M
otivation\subsection W
hy?\section Overview\part Conclusions\section Unrelated W
ork
section1
section1 partA
partA
subsection1
subsection1
parent<style:part><init:A><style:section><parent:part><init:1><style:subsection><parent: section><init:1>
<style:part><init:A><style:section><parent:part><init:1><style:subsection><parent: section><init:1>Part A: Introduction
A.1 Motivation
A.1.1 Why?
A.2 OverviewPart B: ConclusionsB.1 Unrelated W
ork
Part A: IntroductionA.1 M
otivationA.1.1 W
hy?A.2 OverviewPart B: ConclusionsB.1 Unrelated W
ork
![Page 12: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/12.jpg)
12
styles
declare styles & parent relationsig Style {parent: option Style}
ask for a sample
fun Show () {som
e parent}run Show
how to define acyclicfun Acyclic [t] (r: t -> t) {no iden[t] & ^r}
constrain parent relation to be acyclicfact {Acyclic (parent)}
![Page 13: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/13.jpg)
13
numbers
introduce numbers
sig Number {
next: option Number
}{this != next}
add numbers to styles
sig NumberedStyle extends Style {init: Num
ber}fact {Style = Num
beredStyle}
ask for a sample
fun Show () {
some parent}
run Show
![Page 14: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/14.jpg)
14
numbering
declare numbering
sig Numbering {
num: Style ->? Num
ber}
ask for a sample
fun ShowNum
bering () {some num
}run Show
Numbering
for 2 but 1 Numbering
![Page 15: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/15.jpg)
15
numbering algorithm
what numbering n’ follows n for paragraph of style s?
›ie, just gave numbering n
›encounter paragraph with style s›m
ust now generate numbering n’
an attempt:
fun Next (n,n': Numbering, s: Style) {
n'.num =
{d: s.^parent, x: Number | x = n.num
[d]} +s -> if no n.num
[s] then s.init else n.num[s].next
}
![Page 16: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/16.jpg)
16
showing next
run Next for 3 but 2 Numbering
n
n’
grandchild style sis num
beredw
ith initial value
![Page 17: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/17.jpg)
17
guiding the simulation
fun ShowNext (n,n': Num
bering, s: Style) {Next (n,n',s)
&& some n.num
[s.~parent]}run Show
Next for 3 but 2 Numbering
nn’
root style sloses its num
berbecause no next!
![Page 18: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/18.jpg)
18
fixing the operationfun Next (n,n': Num
bering, s: Style) {let i = n.num
[s] | some i => som
e i.nextn'.num
= {d: s.^parent, x: Number | x = n.num
[d]} +s -> if no n.num
[s] then s.init else n.num[s].next } style s gets
numbered w
ithinitial value
![Page 19: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/19.jpg)
19
guiding the simulation
fun ShowNext (n,n': Num
bering, s: Style) {Next (n,n',s)
&& some n.num
[s.~parent] && some n.num
[s]}run Show
Next for 3 but 2 Numbering
![Page 20: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/20.jpg)
20
checking a property
if style is not a parent, step is reversibleassert Reversible {
all n0, n1, n: Numbering, s: Style - Style.parent |
Next(n0,n,s) && Next(n1,n,s) => n0.num = n1.num
}
check Reversible
![Page 21: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/21.jpg)
21
trying again…m
ake numbering injective
fact {Injective (next)}
does this fix the problem?
![Page 22: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/22.jpg)
22
counterexample
after numbering n
adjacent stylehas no num
berafterw
ards
![Page 23: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/23.jpg)
23
counterexample, ctd
beforenum
beringsn0 and n1
adjacent style’s number
eliminated, so value
before was irrelevant!
![Page 24: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/24.jpg)
24
masking
check again, assuming styles form
a lineassert ReversibleW
henLine {Injective(parent)&& (som
e root: Style | Style in root.*~parent) =>all n0, n1, n: Num
bering, s: Style - Style.parent |Next(n0,n,s) && Next(n1,n,s) => n0.num
= n1.num}
check ReversibleWhenLine
![Page 25: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/25.jpg)
25
counterexample, again
initialization andincrem
ent aredistinct: theorem
is confused!
![Page 26: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/26.jpg)
26
checking a refactoring
are these equivalent?fun Next1 (n,n’: Num
bering, s: Style) {n’.num
={d: s.^parent, x: Num
ber | x = n.num[d]} +
s -> if no n.num[s] then s.init else n.num
[s].next}fun Next2 (n,n’: Num
bering, s: Style) {all d: s.^parent | n’.num
[d] = n.num[d]
n’.num[s] = if no n.num
[s] then s.init else n.num[s].next
}
ask the tool:assert Sam
e {all n,n’: Num
bering, s: Style | Next1(n,n’,s) iff Next2(n,n’,s)}
![Page 27: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/27.jpg)
27
what happened
incrementality
›write a bit, analyze a bit›constrain just enough
to get key properties›avoids wasted tim
e,encourages sm
all models
analysis prompted questions
›number m
ust have next?›two num
bers have same next?
›style hierarchy a tree? line?
![Page 28: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/28.jpg)
28
declarative vs. operational development
all behaviours;satisfies no safety properties
a safety property
declarative
operational
no behaviours;satisfies all safety properties
![Page 29: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/29.jpg)
29
what’s been done?
analyzing implem
ented systems
›Intentional naming (Khurshid)
›Chord peer-to-peer lookup (Wee)
›Transaction cache (Tucker)
analyzing existing models
›Microsoft CO
M (Sullivan, from
Z)›Firewire leader election (m
e, from Vaandrager’s IO
A)›Unison file synchronizer (Nolte, from
Pierce’s maths)
›UML m
eta model (Vaziri, from
OCL)
›Classic distributed algorithms (Shlyakhter, from
SMV)
typically›200 lines of Alloy, 30-200 hours work
![Page 30: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/30.jpg)
30
example: intentional nam
ing
building
camera
service
ne43
query
n1n0
building
camera
service
ne43printer
database
n0n1
n0
n0
query scheme
›intentional names are trees
›result of query is set of simple nam
es
![Page 31: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/31.jpg)
31
results
what we did›analyzed claim
s made in paper: m
ostly untrue›analyzed algebraic properties: also untrue
eg, add is monotonic
›adapted model for fixes in code: also broken
›developed new semantics & checked it
reflections›initial analysis took 2 weeks and 100 lines of Alloy›found all bugs in trees of 4 nodes or less -- approx 10 secs›2000 lines of tests hadn’t found bugs in a year
![Page 32: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/32.jpg)
32
challenge: get numbering right
fix the numbering m
echanism to handle
›multiple childrensection and figure have parent chapter
›multiple parentssection has parent chapter and appendix
![Page 33: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/33.jpg)
33
what is a m
odel?
a representation of a system›m
ore or less useful, not more or less correct [Fowler]
›useful to the extent that it answers questions [Ross]
role of a model
›to explain & evaluate existing system›to explore design of system
to be built
![Page 34: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/34.jpg)
34
why m
odel?
‘plan to throw one away’ [Brooks]›100 line m
odel or 100k lines of code?›nasty surprises happen sooner
designs with clear conceptual models
›easier to use and implem
ent›allow delegation & division of labour
separation of concerns›conceptual flaws get m
ired in code›not a good use of testing
![Page 35: micromodels of softwared eclarative m od elling and analysis w ith](https://reader033.vdocuments.net/reader033/viewer/2022042707/589c35df1a28ab4e4a8b4b95/html5/thumbnails/35.jpg)
35
lightweight form
al methods
elements
›small & sim
ple notations›partial m
odels & analyses›full autom
ation
focus on risky aspects›hard to get right, or to check›structure-determ
ining›high cost of failure